We are running Control-M v8 and have a requirement to strengthen security, specifically to limit the scripts and commands that can be run on a given set of Agents by Control-M.

Currently we run the Agents as root and have security "switched on" on the Control-M Server (i.e. jobs can only run as owners and nodes as specified in ctmsec). The concern now is that the Control-M Administrator can run whatever they wish to. To mitigate this the suggestion is to change the Agents involved (and not all Agents are) to non-root mode. The selected Control-M Agents will be running under a very basic userid with only access to run commands/scripts (and via specified owners) that are listed in the sudoers file on the Agent platform (the Control-M Admin will not have access to this, only the Unix Admin will).

Has anybody implemented anything like this? Whatever we implement, it would have to be a solution that the Control-M Admin could not subsequently circumvent. Is there a better way of cracking this issue? We just need to be able to guarantee that the Control-M Admin isn't doing anything bad (as if we would!) on these servers.

I know Version 9.1 allows the Agents to be set to "sudo" mode but does this also allow for the Unix guys to set the commands/scripts that can be executed (and not just to specify the valid userids)?

The sudo mode should be the answer to your problem. The sudoers can be customized to allow only what the Unix admins want to allow. That may cause problems, however, if the job starts an allowed script that invokes commands not allowed under the sudo profiles, or accesses directories not allowed via other methods.

When the Unix agent runs as root, it basically executes su - <user> -c <command>. The sudo execution does the same under sudo supervision.

There is no way that the Control-M admins can go around this sudo configuration, unless they have other user or permissions to change the sudoers files, in which case, why bother...

The Control-M Server security is set mostly so the schedulers will not be able to do what they are not allowed, but a Control-M Admin can change that as they see fit, so it is like telling the Unix security person that they cannot perform security changes. You have to trust someone at some level, and that is where checks, balances, and processes come into play.

I would upgrade your agents to v9 FP1 (at least) and implement the sudo feature, and test it, as with restrictive security you may run into other problems, like SELinux settings and such.
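
A sudoers fragment showing the distinction asked about in the thread (restricting the commands, not only the userids), added here as an example and not taken from either poster or from the vendor's documentation. The account `ctmagent`, the owners `appbatch` and `dbbatch`, and the `/opt/batch` paths are hypothetical, and it assumes the agent hands the job's command line to sudo as `sudo -u <owner> <command>`; check what your agent version actually executes and match the command entries to that.

```sudoers
# /etc/sudoers.d/controlm-agent
# Constructed example; edit with: visudo -f /etc/sudoers.d/controlm-agent
# Hypothetical names: ctmagent (agent account), appbatch/dbbatch (job owners),
# /opt/batch/bin/* (job scripts).
# Assumption: the agent runs "sudo -u <owner> <command>". If your agent wraps
# the command differently, the Cmnd_Alias entries must match that form instead.

# --- Userid-only rule (weak): limits WHO jobs run as, not WHAT runs. ---
# Anyone who can define a job can run any command as these owners.
# ctmagent ALL = (appbatch, dbbatch) NOPASSWD: ALL

# --- Userid + command rule (restrictive) ---
# Owners the agent may switch to.
Runas_Alias BATCH_OWNERS = appbatch, dbbatch

# Commands the agent may start. Full paths only.
#   ""          = no arguments accepted at all
#   fixed args  = only this exact argument list is accepted
# Wildcards in arguments are avoided on purpose: sudoers "*" also matches
# spaces, so a wildcard argument accepts extra arguments as well.
Cmnd_Alias BATCH_JOBS = /opt/batch/bin/nightly_load.sh "", \
                        /opt/batch/bin/purge_logs.sh --days 7

# The agent has no terminal when it submits jobs.
Defaults:ctmagent !requiretty

# No password prompt is possible for a batch agent, hence NOPASSWD.
ctmagent ALL = (BATCH_OWNERS) NOPASSWD: BATCH_JOBS

# File permissions that the rule above depends on (set by the Unix admin):
#   - this file: owned by root, mode 0440
#   - every script in BATCH_JOBS and each directory above it: owned by root,
#     not writable by ctmagent or by group/other
# A listed script that the agent account can rewrite is no restriction.
```

Running `visudo -c` after the change checks the syntax, and `sudo -l -U ctmagent` (as root) lists exactly what the agent account is permitted to run.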